
Main changes and what's new on the website.

Date Page Description
26 Sep 2007 New Oracle Security presentation added I have just uploaded two versions of my presentation from the UKOUG Windows SIG held on September 25th 2007.
13 Sep 2007 New Oracle Security papers added I have just added 5 papers that I have presented over the last year and a bit to my Oracle security white papers page.
13 Feb 2006 New Oracle blogs news aggregator added I have just added a new Oracle blogs aggregator to my site. It's available from the link above or via the menu options.
25 Jan 2006 New speaking dates added Just added a link to the PSOUG Oracle day 2006 where I will be speaking.
09 Jan 2006 Pete Finnigan in the news updated Just added another link to me in the news.
20 Nov 2005 More speaking events added I have just added two new speaking events to my index page. Links to the events are added.
19 Nov 2005 Oracle security papers I have just added a good Oracle security checklist to my Oracle security white papers page.
9 Nov 2005 In the news updated I have added some recent news reports that mention my name in my in the news section.
9 Nov 2005 Added my presentation from the OUG Glasgow October 2005 I have just added my presentation from the OUG Scotland Glasgow October 2005 event.
3 Oct 2005 Added an undocumented Oracle paper I have just added a link to a paper about oradebug written by Mladen.
8 Sep 2005 Some fixes to the main page I have made some fixes to the index page. Some broken URLs, added a link to the Oak Table, added a link to the OUG Scotland conference...
7 Sep 2005 Oracle internals page updated I have just updated my internals page to add a paper by Kurt Van Meerbeek about his jDUL/DUDE tool that can be used instead of DUL (Data UnLoader), Oracle's tool for saving data from crashed databases.
7 Sep 2005 Oracle Security tools page updated I have just updated my tools page to add details of Kurt Van Meerbeek's jDUL/DUDE Oracle data unloader program.
6 Sep 2005 Oracle internals page updated I just updated the internals page and added a link to the Oracle Data UnLoader (DUL) configuration guide. I have also added a page from the same site that details how DUL can be used with examples.
3 Sep 2005 Oracle Security White papers page updated I found another Oracle security checklist that I have added to my Oracle security white papers page.
29 Aug 2005 Site revamp I have just completed making quite a lot of changes to the site. Regular visitors may have noticed that the logo no longer contains the word Limited and the index page now is non-commercial and summarises the site and the information available there.
27 Aug 2005 Oracle Security Tools page updated I have just added the Oracle dictionary and brute force password cracker written by 0rm of toolcrypt.org
26 Aug 2005 Oracle Security Tools page updated I have updated the entries for Alex Kornbrust's Checkpwd for Windows and Linux as version 1.1 is now available. Also Alex has added two new Linux versions.
25 Aug 2005 Oracle Security Tools page updated I have just corrected the author for the orabf.pl Oracle database brute force script and also changed the link from what I was given to a new one.
24 Aug 2005 Oracle Security Tools page updated I have just added a perl script that can be used to brute force a connection to an Oracle database.
24 Aug 2005 Oracle Security Tools page updated Alex has just released a Linux version of his Oracle password cracker. I have added this to the tools page.
22 Aug 2005 Oracle Security Tools page updated I have just added links to Alex Kornbrust's Oracle standalone password cracker. This is a dictionary tool.
16 Aug 2005 Oracle Security Tools page updated I have just corrected the link to version 2.0 of Josh's hashattack tool on the tools page.
12 Aug 2005 Oracle Security Tools page updated Just added a link to the DokFLeed Oracle TNS client tool. This tool is a full up re-write of the tnscmd.pl utility and supports all commands.
11 Aug 2005 Oracle Security Tools page updated I have just updated the tools page to add a new link for the hashattack tool. Josh has made some updates to it as version 2.0.
11 Aug 2005 Undocumented Oracle page updated I have just updated my undocumented Oracle page to add a link to a good page on the PSOUG site describing the Oracle oradebug tool.
09 Aug 2005 Oracle Security Tools page updated I have added a link to my tools page for the Adam Martin PL/SQL based Oracle password cracker. This cracker is no longer available from its original link. This new link is to details of the cracker on the web archive but the download link does not work. If anyone knows where this tool can currently be downloaded then please let me know.
08 Aug 2005 Oracle Security Tools page updated I have just updated my Oracle Security tools page and added details of Josh Wright's hashattack tool that can be used to pre-compute password hashes for Oracle accounts so that they can be checked offline for a known user. For instance pre-computing for the SYS, SYSTEM, DBSNMP and OUTLN users would be useful.
01 Aug 2005 Oracle Security Tools page updated I have just updated my Oracle Security Tools page to include a new commercial product I have just found called Ingrian DataSecure. It offers seamless network appliance based security and encryption.
26 Jul 2005 Small text corrections on the default password list page I have clarified the text for email contact on the default password list page.
25 Jul 2005 New Oracle Security Forum added to the site On Saturday I added a new Oracle Security forum to my site and did some initial configuration to it. The boards and categories are my first attempt at its layout. Please come and visit and ask questions, post comments etc.
22 Jul 2005 Pete Finnigan in the news updated I have just added a new link to an article by Lisa Vaas of Eweek about the latest Oracle email urging customers to apply the CPU April patch yet again.
20 Jul 2005 Pete Finnigan in the news updated I have just updated my Pete Finnigan in the news page to add two links to an article written by Joris Evers of CNET. The articles are essentially the same except for the commentary at the beginning of the second.
15 Jul 2005 Pete Finnigan in the news updated I have just updated my Pete Finnigan in the news page as I am quoted in a German article on Heise.de.
13 Jul 2005 Pete Finnigan in the news updated I have just added a new news article written by Shawna to my in the news page as I am quoted in this article.
12 Jul 2005 How to set the Oracle database listener password Thanks to Marc, I have just corrected the title of this page.
12 Jul 2005 WinSID tool added to tools page I have just added a new free tool to the tools page. This is Paul Breniuc's WinSID tool that can be used to query a local or remote listener for details of its set up.
02 Jul 2005 New Site added I have just added a new website to my domain as a sub-domain called http://web.petefinnigan.com to talk about and collate information on web site development. I have added this as a separate site as it is off topic for Oracle security but I have been collecting information and learning quite a bit about site development over the time I have run this site and I would like to share it. Check out the site from time to time.
06 Jun 2005 Tools page updated I have just updated the tools page in the commercial section for the DBA Audit tool from SoftTree Technologies Inc to show that the DBA Audit 2.5 is the latest version of the software.
03 Jun 2005 In the news page updated I have just updated the Pete Finnigan in the news page to add a link to the recent Lisa Vaas EWeek story about Alex Kornbrust's Metalink hacking exploits.
07 May 2005 Tools page updated I have just updated the tools page to correct the spelling of Jan-Marten Spit's name.
03 May 2005 Tools page updated I have just updated the scripts who_can_access.sql, who_has_priv.sql and who_has_role.sql to allow the user of the scripts to exclude a user or set of users if they wish. This can be useful to prevent a user from displaying in the report if it is not relevant to the audit task being performed.
29 Apr 2005 Tools page updated I have just updated my tools page to add a note about Tim Gorman's excellent fileprobe.sh script that has been updated.
23 Apr 2005 weblinks page updated I have just updated the weblinks page to change Inventioconsulting to www.greenlighttraining.co.uk as the company have changed names.
23 Apr 2005 Oracle security papers page updated I have just updated my Oracle security papers page and corrected a number of links on there that pointed to govt.oracle.com and osi.oracle.com as these are no longer valid Oracle sites. All of the papers involved are from Tom Kyte and now correctly point at asktom.oracle.com. Thanks for the update Tom!
13 Apr 2005 Pete Finnigan in the news updated I have just updated the Pete Finnigan in the news page to include a SearchSecurity news item where Shawna McAlearney quotes me about CPU April 12 2005.
04 Apr 2005 Audit scripts updated I have just made some simple updates to all of the audit scripts find_all_privs.sql, check_parameters.sql, who_has_priv.sql, who_has_role.sql and who_can_access.sql to add "whenever sqlerror continue" so that any subsequent SQL statements that have an error do not barf SQL*Plus.
03 Apr 2005 Oracle Security tools page updated I have amended the commercial tools section of my Oracle security tools page to include a link to red-database-security.com's new tool repscan.
31 Mar 2005 Oracle Security tools page updated I have just added a link to nCipher's SecureDB product that has been added to the commercial section of my Oracle security tools page.
25 Mar 2005 Oracle Security tools page updated I have just added a new free Java based Oracle password management tool. This tool is hosted on this site and was written by Noel Talard.
19 Mar 2005 Oracle Security tools page updated I have just updated the link to Mark Woan's C# .NET GUI tool for checking default Oracle passwords. The link he had provided previously has changed to a permanent one instead of one generated by his CMS system.
14 Mar 2005 Oracle Security tools page updated I have just updated the free section of the Oracle Security Tools page and added a link to Mark Woan's new .NET GUI default password checking tool.
8 Feb 2005 Oracle Security tools page updated I have just updated the name for the Russian PL/SQL based password cracker from Bead Dang to the correct name Bear Dang.
5 Feb 2005 Oracle Security tools page updated I have just added a link to a new free Oracle security tool on my Oracle security tools page. This is the Oracle Password Repository (OPR) tool used to manage Oracle usernames and passwords instead of hard coding them.
25 Jan 2005 Undocumented Oracle page updated I have updated the undocumented Oracle page again, twice in one day! I have added a link in the Oracle / Baan section to some free software that can be used to implement password ageing in Baan which is required for Sarbanes Oxley compliance in the states.
25 Jan 2005 Undocumented Oracle page updated I have updated the undocumented Oracle page. This page is also used to include details of security and Oracle in relation to other systems such as Baan, SAP, Oracle Applications etc. I have just added a link to the Integrigy security analysis paper for CPU - Jan 2005 for Oracle Applications.
23 Jan 2005 Alerts page updated to add Integrigy's advisory I have just updated the alerts page for the new CPU - Jan 2005 advisory from Oracle to add details of Stephen Kost's Integrigy security advisory for the issues he has found.
22 Jan 2005 Pete Finnigan in the news page updated I added a new page to record news articles where Pete Finnigan or PeteFinnigan.com Ltd are quoted in the news some time back when I added all my new menus. I have just updated this page to add all of the recent news articles that I know of that quote Pete Finnigan or PeteFinnigan.com Ltd.
18 Jan 2005 New security advisory released I have just added a new advisory to my alerts page for the new scheduled quarterly patch fixes.
05 Jan 2005 Contact details updated I have just updated the contact details page to include new address details.
02 Jan 2005 Default password list updated I have just updated the default password list to include 2 new default users and passwords and I have also corrected 21 default accounts in the tool script default password checker that had unwanted space characters after their names.
30 Dec 2004 Tools page updated I have just updated the tools page to add a free Log Analysis tool called LMon that allows log files to have rules set against them so that alerts can be generated if rules are matched.
27 Dec 2004 Alerts page updated for alert 68 I have just updated the alerts page to include details released a couple of days ago about the bugs found by NGS.
24 Dec 2004 Site statistics page added The web site's statistics page has just gone live. You can see the average numbers of visits, page views, hits, files and kilobytes for each month as well as details for each day of the month.
20 Dec 2004 Tools page updated The tools page has just been updated to correctly move the Helix recovery CD to the free tools section from the commercial section where it was wrongly placed and also to add two new commercial database auditing tools, SoftTree and Ambeo.
20 Dec 2004 Sitemap generation updated The site map generation has just been updated to fix the weblog entries where there was a trailing double quote on each entry's description. I have also added one of the most important site files to the map generation. This is the RSS feed for the weblog which was missing before.
17 Dec 2004 Tools page updated I have just updated the tools page to add a link to the Helix CD that I talked about recently in my Oracle security weblog. This CD is a live Linux distribution that is aimed at incident response and forensics.
14 Dec 2004 Sitemap page added I have just added a sitemap page to my site. A number of people have emailed me in the past and suggested I add one to make it easier to find pages that they need, especially when using web browsers that do not display my menus properly such as Konqueror. The sitemap is generated with a perl script called sitemap.pl from James Walker and available from www.webwalker.to. This is an excellent script that only needed simple configuration to add global settings for file types, directories to exclude that are site specific.
30 Nov 2004 Tools page updated I have just updated the tools page to add a link to the excellent Linux on a floppy distribution that I found recently. It can be found here.
23 Nov 2004 Default password list updated I have just updated the default password list to clarify the inclusion of the SAP users listed. This has meant defining SAPR3 as the SAP schema account and the two entries for SAP and one for DDIC as SAP application accounts. I have also added a specific SAP default user account page to clarify what these accounts are used for and how to identify them.
22 Nov 2004 Tools page updated I have just updated the tools page and added a new dependencies analysis tool called oraDep that can be used to analyse the relationships between objects in the database and also source code. This has been added to the commercial section.
19 Nov 2004 Default Password Checker updated I have just updated the default password checker scripts to allow a password that is encased in quotes to be set for the ORAPROBE user.
18 Nov 2004 Tools page updated I have just updated the tools page to add a link to the default password checker scripts.
16 Nov 2004 Oracle default password list released I have just added the new Oracle default password and hashes page to the site. The page includes 596 default Oracle accounts and passwords. It includes MS Excel, OO Spreadsheets, SQL insert file, HTML and CSV versions of the data.
16 Nov 2004 Default password checker updated up to 600 default accounts I have just updated the default password checker archive to include a new spreadsheet that has 596 default Oracle accounts in it and I have updated the table definition (OSP_ACCOUNTS) so that it will hold password hashes up to 30 characters. I have also added a new data load script that includes all 596 default accounts.
10 Nov 2004 readme.txt added to the default password archive I have updated the default password checker tool page to include the file descriptions in a better order, starting with the installation files. I have also created a readme.txt file and added it to the archive.
09 Nov 2004 New Default password checking tool released I have just added a new default password checking tool to the web site that has been written by Marcel-Jan Krijgsman who works for Transfer Solutions.
08 Nov 2004 Site layout updated I have just updated the web site and added about 27 new pages and updated the menus to reflect these new pages. Most of these are an insurance against doing many changes to the menus. Most of the new pages have "one liners" on them but will soon see new content. See this blog entry for more details.
05 Nov 2004 Updated tools page to reference Patrik Karlsson's new tool OScanner I have just updated my tools page to add a link to the new plug-in based Oracle security scanner from Patrik Karlsson at cqure.net. This looks like an excellent tool and should be easily extendible. The tool is written in Java and includes a good set of basic checks in its first version.
03 Nov 2004 Added part 4 of Jim Czuprynski's Oracle label security paper I have just updated the Oracle security white papers page to add the final part, part 4, of Jim Czuprynski's excellent paper covering Oracle label security.
29 Oct 2004 Oracle white papers page updated to include new links to Roby Sherman pages I have just updated the Oracle white papers page to add extra links to the 7 Roby Sherman Oracle security papers as the original links are broken.
22 Oct 2004 Amazon now supports searching inside the SANS book I have just added a link to the Amazon page where the SANS book is shown as I have just found out that Amazon now supports searching inside the book.
22 Oct 2004 check_parameter.sql added to tools page I have just added the final script in the series of five Oracle auditing tools to my tools page. This is a script to display and check initialization parameters.
20 Oct 2004 SANS book code updated I have just made a small update to the code shipped with the SANS Oracle security step-by-step guide due to an error in the script action_3_8_6.sql. The zip file on this page has been updated.
15 Oct 2004 Tools page updated to add who_can_access.sql script I have just updated my tools page to add a script who_can_access.sql which can be used to find users and roles that have been granted access to specific database objects.
09 Oct 2004 Tools page updated to add who_has_priv.sql script I have just updated my tools page to add a script who_has_priv.sql which can be used to find users and roles that have been granted a specific system privilege.
07 Oct 2004 Tools page updated with new commercial Oracle security tools I have just updated my tools page again to include some new tools from Application Security Inc and also a tool called The Data Masker.
05 Oct 2004 New script who_has_role.sql added to tools page I have just updated my tools page and added a new script who_has_role.sql that can be used to check which users and roles have been granted the role being checked.
03 Oct 2004 Tools page updated I have just updated my tools page and added some new commercial Oracle security tools that may be of interest to readers.
23 Sep 2004 RSS feed added for Oracle security weblog I have syndicated my new Oracle security weblog. A link can be found here RSS 1.0 FEED
21 Sep 2004 Oracle security weblog added A new Oracle security web log has been added to the PeteFinnigan.com web site. This Oracle security web log will bring news of new papers, articles, tools, products and news specific to Oracle security.
16 Sep 2004 Alex Kornbrust's advisories added to alert #68 Alex Kornbrust has added three advisories for Oracle alert 68. Links to these three advisories for Oracle alert 68 have been added to my alerts page.
01 Sep 2004 Advisory released as part of Oracle alert #68 A new entry was added to the Oracle security alerts page to describe the new monthly security patch release from Oracle starting with Oracle advisory #68. Oracle advisory #68 included bug fixes in the new Oracle 10g scheduler found by Pete Finnigan in conjunction with Alex Kornbrust and Jonathan Gennick.
05 Aug 2004 News:- David Litchfield announces he has found 34 bugs A new short link has been added to a news interview given by David Litchfield after his DEFCON presentation about the fact he has found 34 more security bugs in Oracle.
05 Aug 2004 mod_ssl format vulnerability found in log_ssl used by Application server A format string vulnerability has been found in the log_ssl() functions of mod_ssl open source software used by the Oracle application server. A link to the open source advisory has been added to my alerts page.
13 June 2004 New Oracle advisory released Oracle have released advisory #67. I have added details to my alerts page and links to Oracle and Stephen Kost's advisories.
11 June 2004 New paper by Miladin Modrakovic added Miladin Modrakovic has written a new paper on how to access the SGA directly in C. This is work based on Kyle Hailey's earlier presentation on the same subject.
23 April 2004 Undocumented Oracle page updated I have updated my other Oracle article links page and added a few links to undocumented Oracle papers and Oracle internals papers.
22 April 2004 Search page added using Google I have finally got around to adding some content to the search page that has been there for a few weeks and I have added a Google search of this site and the web. Hope it's useful to everyone!
18 April 2004 Update to Oracle security alert 66 Oracle have released an update to security alert 66 and have now credited the discovery to Ioannis Migadakis and he has also released a detailed advisory. Please have a look at my alerts page for details.
02 April 2004 Three new papers added to ramblings page Three new short papers added to my ramblings page. One on locking the SGA shared memory in core, one on how to avoid the call to dbms_obfuscation_toolkit being seen in clear text in the SGA and the third showing that the failed_login_attempts parameter will not help to lock out the SYS account if a brute force attack is done.
26 March 2004 Tools page substantially updated The tools page has been substantially updated to include details of many free Oracle security tools and also a list of commercial tools that are available. This includes scanners, password crackers, auditing and vulnerability check tools.
19 February 2004 Alerts page added A new Oracle security alerts page has been added to give comments on the discoverer's advisory and how it compares to Oracle's.
11 February 2004 Ramblings page added New FAQ, tips pages added called "ramblings". This page will include tips on setting up, changing or removing items to do with Oracle security.
7 December 2003   Added menu links to the footer of every page as some users of the site had requested this helpful addition.
17 November 2003 New Oracle security paper by Pete Finnigan Part 2 of a new Oracle security paper showing how to implement row level security within an Oracle database has been published Oracle Row Level Security: Part 2
12 November 2003 Oracle security checklists added Two major Oracle security checklists have been added to the Oracle security paper section of the website. These are the Oracle database security benchmark and also the SANS S.C.O.R.E. documents.
7 November 2003 New Oracle security paper by Pete Finnigan Part 1 of a new Oracle security paper showing how to implement row level security within an Oracle database has been published Oracle Row Level Security: Part 1
23 July 2003 New Oracle security paper by Pete Finnigan New Oracle security paper showing how SQL injection can be detected in an Oracle database has been published Detecting SQL Injection in Oracle
15 July 2003 The first PeteFinnigan.com newsletter is published The first PeteFinnigan.com newsletter has been published and sent out to subscribers. The newsletter is available from Newsletters!
29 April 2003 New Oracle security paper by Pete Finnigan New Oracle security paper on Oracle audit is published on SecurityFocus. An introduction to simple Oracle auditing
7 April 2003 Oracle security white papers and articles 65 links to Oracle security papers, articles and presentations written by Pete Finnigan and many other authors from around the world.
22 January 2003 SANS Oracle step-by-step The SANS Oracle step-by-step - A survival guide to Oracle Security has been published and is now for sale on the SANS store website at http://store.sans.org.
28 November 2002 Oracle papers The second part of my paper on SQL injection and Oracle was published on SecurityFocus. See SQL injection and Oracle - part 2
21 November 2002 Oracle papers The first part of my paper on SQL injection and Oracle was published on SecurityFocus. See SQL injection and Oracle - part 1
20 November 2002 sqlinject.sql SQL code for the SecurityFocus SQL injection for Oracle paper posted.
19 November 2002 home The new look web site has been posted up.